Chrome only browser left standing after day one of Pwn2Own

During a contest at the CanSecWest event, security researchers competed to …

Browser vendors often make strong claims about their responsiveness to vulnerability reports and their ability to preemptively prevent exploits. Security is becoming one of the most significant fronts in the new round of browser wars, but it's also arguably one of the hardest aspects of software to measure or quantify.

A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browsers are susceptible to security bugs despite the vigilance and engineering prowess of their creators. Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.

The contest awards security researchers with hardware and cash prizes for finding efficient ways to trick browsers into executing arbitrary code. During the first day of the competition, the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks. Researchers typically prepare for the event far in advance by finding zero-day exploits ahead of time.

Early this month, prior champion Charlie Miller told reporters that he would be attempting to exploit a Safari vulnerability on Mac OS X. Safari, he said, would be the first to succumb to the contestants. As he promised, Safari went down first: he was able to execute his prepared hack in only a matter of seconds. Another security expert known only as Nils took longer, but was able to successfully exploit all three of the most popular browsers.

These contests contribute to the growing culture of commercialism that surrounds the art of exploitation. In an interview with ZDNet, Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free.

"I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."

Miller also told reporters that he targeted Safari on Mac OS X because he believes that it is the easiest to exploit. Windows, on the other hand, he claims is tougher because of its address randomization feature and other security measures. As for Chrome, he says that he has identified a security bug in Google's browser but has been unable to exploit it because the browser's sandboxing feature and the operating system's security measures together pose a formidable challenge.

The game isn't over yet. During the second day of the event, the focus will turn towards Chrome. Nils, who demonstrated impressive skill during the first day by conquering the three most popular browsers, might have a few more tricks up his sleeve. According to the official rules, the participants will be permitted to use plugins during the second day.

It will be interesting to see what level of "Pwn" these exploits are at too. Assuming IE8 is in default configuration on Win7, owning the browser means you're still stuck in the sandbox. If they managed to break the sandbox (not at all clear from what's been said) THAT is noteworthy.

WiseWeasel: The rules say a winner has to provide an exploit that runs code. It doesn't say what the code has to do or what it has access to. In that interpretation of the rules, running code in the sandbox is still different than breaking the sandbox. Though again, without knowing any of the details, it's hard to say what's going on. They haven't even HINTED at what happened.

It's interesting that Miller feels that Nils's IE8 bug is worth at least 10 times more than his Safari bug.

Besides a higher market share of IE, the method of finding the bug could be a point here. Last year's Safari bug wasn't an actual bug in Safari, but in some open source library Safari was using. Maybe this year's bug is the same. Open source bugs are generally easier to find. So from an artistic point of view, exploiting the closed source IE8 bug is more valuable than one in partially open source Safari.

Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free.

So he sat on an exploitable vulnerability for a year so he could get a few bucks and a plug on a web site. Am I the only one that finds this attitude unethical and outright dangerous?

I think his philosophy for getting paid per bug is great. If all of the browsers set up programs for people to submit bugs and exploits for money it might draw the attention of high caliber programmers and those holes can be closed much faster. Of course, that would involve admitting that your browser has security bugs.

I'll be very curious what happens when Chrome comes to the Mac as they share much of the same base WebKit code as Safari does.

Before you dismiss me as some Apple fanboi or whatever, hear me out, because I have no vested interest in who won what...

I just can't believe what Charlie Miller said and worse, I can't believe I'm not hearing other security experts flipping their lids about this. His new "philosophy" is a bastardization of the goals of security in the first place. Sure you should be paid for your time and efforts, that is why you work at a security firm. Security firms make their money by consulting and advising clients. These contests he enters are bonus money where he gets paid twice for his time.

Miller's new philosophy is about greed over the community's well-being (that of Mac users' security). This is a dangerous precedent to set in the world of security. He is basically demanding bribe money. Who is to say he wouldn't give up his research to the highest bidder? I'm sure there are blackhat groups that would pay for some juicy exploits.

Security firms should take notice of this philosophy and not employ those who engage in this behavior. It's bad form for his employer (ISE) and makes the security consultancy industry look bad too. Would you hire a security company that employs hackers who blackmail for bugs to work on your systems?

"Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free."

I'm sorry, but what a friggin' asshole. He found it a year ago, and kept it to himself so that he could use it to make another $10,000? Greedy, greedy bastard.

So he demands to be paid to disclose a year old vulnerability in Safari, but happily reports vulnerabilities in Android for free. Seems he's got a bit of a double standard.

Fortunately this attitude is still rare amongst the vulnerability research community. Responsible disclosure remains the order of the day. There's nothing wrong with wanting to get paid for doing work you enjoy. But you cross a line when your desire to get paid puts others at risk. Especially when there are perfectly legitimate ways of being paid to research vulnerabilities such as working directly for one of the vendors or for an independent, honest security consultancy. Miller's idea, while technically legal, is morally equivalent to extortion. Breaking the responsible disclosure truce like this is just going to cause vendors to return to being openly antagonistic to vulnerability reporters. That helps nobody.

I imagine a large part of that IE share is v6, not 7 and certainly not 8. I'd estimate that most people don't even know how to upgrade IE, let alone know that there's a newer version.

Here's the other thing.

These exploits rely on "tricking" the user. This certainly isn't difficult, but it's not the same as drive-by exploits common to IE5 and IE6.

While Firefox was exploited in this contest, what if the user has NoScript installed? Does the exploit do anything?

Of course, most people using IE won't switch to Firefox. Those that do because their geek friends installed it for them won't use NoScript. It will annoy them that they have to allow every site to view anything, like stupid youtube videos or whatever. And they deserve to get exploited by every browser hack for their laziness.

I'm going to venture out into the wild and say about 100% of those who have posted so far live in a capitalist society. So why are you complaining about this guy charging for his work again? This is his livelihood. The more bugs he finds, the more severe they are, and the more he can demand for them are all of extreme importance because this is how he supports himself. Apple, Microsoft, Google, Mozilla... they all pay people for this work. Say, why not pay the guy who just made your employees look bad?

Opera likely wasn't tested because the monetary value of exploiting it is far lower than the others. It has an insignificant amount of market share and the company who develops it is resorting to lawsuits now. Love the browser or not, you must think in logical terms here.

It has nothing to do with a capitalist society. Certainly, he has a right to be compensated for his work. However, it's irresponsible and morally reprehensible as a layman, and even more so as a "security expert", to withhold security information that could cause tremendous financial harm. If he considered himself a professional, he wouldn't hold out so he could make a little more money.

Did they deliberately leave out Opera, because it's got the best security track record???

Yeah, I totally agree. While we're at it, why did they leave out Konqueror, K-Meleon, Galeon, and iCab? This is such a totally unfair test and obviously irrelevant to the real world, since they left out all these major browsers.

1.) Kudos to Microsoft for not having the most insecure browser and operating system this year. That's a big step up for them.

2.) This whole discussion about ethics at a cracking convention where people are paid to hack into systems is laughable. The ethical precedent is that exploits are traded on the black market daily for money, other secrets, bragging rights, etc. Any time that exploits are exposed in a controlled environment and the creators of the product being exploited are notified with details of the exploit is a good thing. When people publicize exploits out of the goodness of their heart, they risk being sued. Being paid is an admission by the company that it is a legitimate business transaction. And yes, security houses do have to consider black-hat hackers. It's the old, "set a thief to catch a thief" trick.

3.) In terms of QA, you can prove that a product is vulnerable by finding an exploit, but there is no way to prove that a product is *not* vulnerable. Maybe they could have caught this through code reviews or more in-house penetration testing, but they can never catch every possibility. Shame on them if they get cracked in 10 seconds again next year though.

4.) Open source software is not easier or harder to exploit, it's just different. Sure, there are more black-hats looking at the code, but there are more white-hats looking at it too.

However, it's irresponsible and morally reprehensible as a layman, and even more so as a "security expert", to withhold security information that could cause tremendous financial harm. If he considered himself a professional, he wouldn't hold out so he could make a little more money.

How does this logic apply to the managers and officers of the companies that make these browsers, who decided to pad their pockets a little by electing not to spend more money on removing bugs and security flaws in the very products they're pushing out to the public?

Withholding information that could lead to patching an exploit may be morally shady, but promoting software with exploits that are clearly discoverable is more amoral. If security is so important to these companies, they would have no problem handing out $10k every time an independent hacker discovers a new security hole. And if security experts were required to inform the companies about every exploit they found, many security experts (such as Miller) might simply stop looking at all once they got compensated for their first one...

Is there something I'm missing here? It isn't like Swordfish where he sat down at a computer login screen over the net, typed in a few things while 'distracted' and managed to hack his way into a secure network in the space of a minute.

They have a known exploit going into the contest and likely have at least one machine they patch on a regular basis to ensure it remains unfixed so they can pick up their 15 minutes of fame.

After a machine is hacked are the rest of the people allowed to perform their hacks for a prize as well? Nope. It's crossed off the list and there is no reason for anyone to show their mad skills, save it for next year and hope you get a better time slot.

While I don't condone what this person did by holding an exploit unknown for a year I can't say I blame him. It was obviously something difficult enough that nobody else in the community has pointed out to have fixed, including the software developer.

Well, all reviewers / evaluators have this same problem to some extent. "He who pays the piper calls the tune."

Would you hire an "independent security consultant" who was receiving payments from the companies whose products he was helping you secure? I might, but I wouldn't fool myself into thinking he was really "independent", and if he didn't disclose this information I would be pretty torqued.

People should get paid for their time, but some markets are trickier than others. As for sitting on security holes for a year, less obnoxious with commercial software than open source I guess. Still there should be a better way.

Yes, Leopard randomizes the loading of frameworks and Safari lives in that environment. However, Leopard's randomization can be worked out in process given how it is currently done (assuming you have a large enough vulnerability and access to said vulnerability). Of course Snow Leopard is going to improve on this, but you can still work it out (it just gets harder and harder based on how granularly external symbols are randomized at process creation). Just like on Windows, randomization can't 100% block exploits; it just raises the bar in terms of difficulty.

As long as his intent was to sit on this bug and keep it undisclosed to *anyone* until this contest, I don't see an issue ethical or otherwise. Keep in mind that he might not have won the contest, so he was taking a gamble there as well. Knowing there is a contest with prize money for his exact work does not equal extortion.

Had he not won, and then decided to simply sell to the highest black hat bidder, that would be a different story. Had he lost the contest and then approached Apple with a "pay up or I'll set it loose" demand, that too would be a different story. But his (poorly worded) statement didn't seem to say either of these, simply that vendors shouldn't get these for free from independent researchers.

The argument that he did nothing wrong by keeping the exploit to himself for a year doesn't hold up. If I see that a bridge could fail, but I decide to keep it to myself until I have a chance to get paid by the DOT, is that ethical?

sprockkets, just because you are corrupt doesn't mean everyone is, or that their price is as low as yours.